Attorneys representing a potentially large group of residents and employees of nursing home behemoth Avamere Holdings announced they have filed a class action suit accusing the long-term care provider of failing to protect its residents and staff from a massive cyberattack.

The operator faces the class-action lawsuit over a data breach believed to have affected more than 380,000 people across the company’s 96 healthcare sites. Plaintiffs’ attorneys also questioned why the company initially reported a smaller number of potential victims (200,000).

The Wilsonville, OR-based company operates skilled nursing facilities and senior living communities throughout the West. The breach reportedly affected facilities located in Oregon, Washington, Arizona, Colorado, Nevada and Utah.

A company representative said they were simply being careful when they notified potentially affected individuals. 

“Out of an abundance of caution, Avamere Health Services recently notified certain individuals whose information was included in a security incident involving unauthorized access to a third-party hosted network utilized by Avamere,” Kevin Hill, general counsel for Avamere, told McKnight’s Long-Term Care News. “Although we cannot comment on any pending litigation, we remain committed to protecting the privacy and security of personal information.”

Portland lawyer Nick Kahl filed the lawsuit on Aug. 24 on behalf of a former Avamere employee. The suit faults “Avamere’s failure to protect its computer systems from unauthorized access by cybercriminals” despite numerous industry warnings and earlier breaches.

The lawsuit also alleges Avamere waited more than two months to notify people of the breach, which included theft of names, birth dates, addresses, Social Security numbers, lab results and information about medical conditions and medication, according to the company.

An unauthorized individual gained access to an Avamere third-party-hosted network between Jan. 19 and March 17, 2022, according to the HIPAA Journal, a privacy publication. The breach was eventually discovered by Avamere on May 18; victims were notified on July 13.

Kahl’s lawsuit claims victims’ personal information “is likely for sale to criminals on the dark web, meaning that unauthorized parties accessed and viewed their unencrypted, unredacted information, including names, addresses, email addresses, dates of birth, Social Security numbers, bank account information, private health information, and more.”

He added those victims suffered “losses in the form of loss of the value of their private and confidential information, loss of the benefit of their contractual bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

Avamere had previously claimed that it took steps to improve its data protection following the breach. It also encouraged people to call a hotline for more information and offered complimentary credit monitoring services as well as best practices to protect their information.

Another cyberattack

Around the same time as legal proceedings were beginning in the Avamere case, the Department of Health and Human Services warned of another potentially massive cyberattack threatening healthcare providers.

Dubbed “Karakurt” by the agency’s Cybersecurity Coordination Center, the ransomware group has attacked at least four unidentified provider organizations in the last three months. Those observed attacks included an assisted living community, a dental firm, a provider and a hospital.

The Karakurt actors typically claim to steal data and threaten to auction it off on the dark web or release it to the public unless their demands are met. Ransoms range from $25,000 to $13 million in Bitcoin with deadlines often set to expire within just one week.